Mexico’s stolen radiation source: It could happen here

At 1:30 a.m. on December 2, gunmen forced two truck drivers who had taken a nap at a gas station on the outskirts of Mexico City to surrender their vehicle. The thieves took off with the truck’s heavy and hazardous cargo: a decommissioned teletherapy unit that was once used for cancer treatment and still contained a small capsule of highly radioactive material. It’s unclear whether the thieves fully understood what they were stealing. According to statements by the Mexican authorities, they probably didn’t.

The capsule’s contents—some 3,000 curies of cobalt-60—made it a “category 1” radiation source, the most dangerous of five categories defined by the International Atomic Energy Agency (IAEA) to rank radioactive materials according to the risk they pose to people working with them. Taken out of their shielding containers, category-1 sources can kill anyone who is exposed to them at close range for a few minutes to an hour.

Two days later, the police found the radioactive capsule abandoned in a corn field. Although someone had extracted the capsule from its shielding (and likely received an unhealthy radiation dose in the process), there were no immediate reports of serious injuries and no contamination found in the area nearby. Thus the consequences of this incident appeared to be less grave than in two earlier cases—in Brazil in 1987, and in Thailand in 2000—when unsuspecting scavengers who dismantled old radiotherapy machines exposed themselves and their families to very high doses of radiation. Four of the exposed people died in Brazil, and three in Thailand, and more were seriously injured. The cost of cleanup and recovery for their communities was substantial.

Officials, especially in the United States, were relieved that the stolen Mexican capsule did not end up with terrorists, who could have used it to build a “dirty bomb.” Even though many planning scenarios predict that such a bomb would probably cause few radiation-related deaths, its economic impact could be disastrous.

Early on in this case, the local police had deemed it unlikely that terrorists were involved, but there was still a risk that one of Mexico’s powerful criminal organizations would get to the radioactive booty first and try to sell it to the highest bidder. Although the truck-jacking ended without the worst case materializing, it should serve as a wake-up call, not just in Mexico but also in the United States and elsewhere. Dangerous radiation sources remain vulnerable to theft, especially when they are out on the road. There is also poorly protected radioactive material in hospitals and other facilities. Improving security requires tougher regulations and greater risk awareness in the industry. Unfortunately, the United States is no exception, so it’s time for the country to get serious about locking up its radioactive material.

Parking problems. It’s important to note that the Mexican incident, unlike the ones in Brazil and Thailand, was not primarily the result of lax regulations and poor government oversight. In fact, the teletherapy unit was stolen while it was en route to a proper disposal. Moreover, it was stolen at gunpoint. Most countries do not require transports of category-1 sources to be protected by armed guards. US federal regulations have no such provision either, although a few states require law-enforcement escorts within their jurisdiction.

The Mexican drivers’ bad parking choice is a different matter. In many countries, including the United States, regulations stipulate that truck drivers transporting dangerous radiation sources rest only in parking areas that are deemed secure. The legal definition of such “safe havens,” however, is often not very specific. In the United States, they include “well-lit” sites where law enforcement is “accessible for timely response,” but it’s up to the drivers themselves to identify such places. For category-1 transports, companies are required to coordinate, in advance, with states they pass through and to ask them for a list of safe havens. However, the states are not required to provide a list, and often they don’t.

Still, there hasn’t been a category-1 source stolen in transit in the United States. Does this mean that US transports of high-activity sources are generally secure? Not really. A few recent cases in North America and Western Europe demonstrate why:

In July 2011, in the parking lot of a Texas hotel, a thief broke into a truck and stole a radiography camera containing 33.7 curies of iridium-192. The truck drivers had forgotten to switch on the vehicle’s alarm system when they went to dinner. Even though the hotel’s security camera recorded the thief’s car as it left, the device was never found.

In February 2013, thieves stole another radiography camera in a small town north of Manchester, England. A courier had left it in his van, which was parked in front of the residence where he stopped for a weekend. The device turned up a month later, at a nearby shopping mall, luckily undamaged.

In Canada, the Nuclear Safety Commission lists 17 cases from the past eight years in which radioactive materials were stolen from vehicles, or in which the vehicle itself was stolen with a radiation source in the trunk. Five of these cases involved radiography cameras. All five were eventually recovered.

Radiography cameras are category-2 devices. These contain less radioactivity than category-1 sources, but are still classified by the IAEA as “very dangerous.” Category-2 sources can cause permanent injury to a person who handles them unsafely for periods of minutes to hours, and they can kill a person who stays nearby and unprotected for hours or days. For terrorists, they could certainly be of interest, too, because the amount of material is enough to cause substantial damage when used as a weapon.

Perhaps the most worrisome lesson of the Mexican incident and the other ones above is this: If hapless truck-jackers can steal high-activity sources by accident, a well-organized terrorist group could certainly do so in a planned operation.

Stronger security abroad. Transport security is rightly considered the weakest link. But this doesn’t mean that radiation sources installed in buildings or used at temporary work sites are much better protected.

It is true that, in many countries, the situation today is somewhat better than it was 10 years ago. Largely, this is because the US government made the issue a priority after 9/11, when it launched programs for security upgrades in countries where unprotected radiation sources were abundant and presumably within reach of terrorists. US experts have worked in Eastern Europe, Central Asia, the Middle East, Africa, and Latin America, helping local partners install security equipment in hospitals and at disposal sites. They have also recovered radiation sources from abandoned facilities and assisted foreign governments in formulating new regulations to improve oversight. (Remarkably, however, the United States has not funded projects to increase transport security, with a few exceptions.) Others, especially the European Union, have also sponsored sources-protection efforts abroad, mostly in collaboration with the IAEA.

At the same time, US diplomats (and those of like-minded nations) have worked through the IAEA to push for a strengthened international regime to control radioactive material. The results have been mixed. Although the IAEA’s revised Code of Conduct on the Safety and Security of Radioactive Sources has been endorsed by 119 nations since its inception in 2004, it is still a voluntary document. This means that different countries are implementing its principles at differing paces and levels of rigor.

How to proceed from here is one of the issues to be discussed in March, when President Obama and 52 other heads of government meet at the Nuclear Security Summit in The Hague. But it’s not a good sign that the summit’s final document will reportedly leave out the modest commitment by all participating nations to implement the Code of Conduct, at least for their category-1 sources, by 2016.

Slow progress at home. While US initiatives to strengthen radiological security elsewhere in the world have been at least partially successful, progress at home has been surprisingly difficult. According to a 2008 report by the National Academies, there are more than 5,000 devices containing high-activity radiation sources in the country, including 700 with category-1 sources. So, if terrorists wanted to mount a dirty bomb attack in the United States, they might not have to go abroad to try to steal the material for it.

The notion that US sources may be targets for terrorists is a rather new one for many in the industry. Traditionally, regulations for handling of these devices have been written to prevent accidents, not deliberate misuse. The underlying mindset was that high-activity sources were largely “self-protecting,” because their strong radiation would surely deter anyone from tampering with them. This attitude began to change only after 9/11, which demonstrated, sadly, that the domestic threat could include technologically capable terrorists with no regard for their personal safety. As a consequence, the Nuclear Regulatory Commission (NRC) began to introduce new security provisions—but not quite as fast or as vigorously as expected.

One important improvement was the implementation of a national register for all US category-1 and -2 sources. The NRC’s National Source Tracking System, which went online in 2009, contains information about who currently owns radiation sources (the “licensees”), and where their devices are kept. Rigorous bookkeeping is necessary to prevent sources from becoming “orphaned” after they reach the end of their service lives. Proper disposal of sources can be expensive, and for many types there isn’t even a commercial disposal option available, forcing the owner to keep them in storage. There is a risk that such devices will end up at unregulated waste dumps or be illegally sold. A government-funded program to mitigate this risk by recovering high-activity sources declared as “unwanted” by their owners has been working for more than 10 years, but a substantial backlog remains.

The tracking system is a major step forward. But unlike a safe in a bank, an entry in a data bank offers no physical protection. To be sure, the NRC’s new security regulations, gradually introduced since 2005, require physical barriers to prevent unauthorized access to sources, too (unless the licensee opts for “direct control … by approved individuals at all times”). The regulations also include provisions for intruder detection (again, either through technical systems or “direct visual surveillance”), mandatory background checks for staff, and security protocols to speed up response to an actual or attempted theft.

Not good enough. Many stakeholders argue that the current regulations provide good-enough protection. In reality, however, there is still little reason for such confidence. In fact, in some US facilities, security conditions remain hair-raising, even when these facilities have been checked by inspectors. This came to light in a 2012 report published by the Government Accountability Office: GAO investigators visited a number of hospitals all over the country to see how the NRC’s new security rules were being implemented, and came back with some sobering findings. For example, one hospital kept a blood irradiator, a category-1 source containing 1,500 curies of cesium-137, in a room with the access code written on the door frame. Another hospital kept a similar device on a wheeled pallet down the hall from a loading dock.

GAO puts part of the blame on how the regulations are formulated, noting that they provide a general framework but lack detailed requirements for how to implement security systems in practice. Without precise specifications, such as the number of cameras and the types of locks to be installed, facility managers have significant leeway. Some, then, tend to do only what’s absolutely necessary to comply with the law. This problem is aggravated by the fact that managers and their staff often don’t understand what kinds of threats they need to protect their sources against. Moreover, some remain unconvinced of, or oblivious to, the notion that their radioactive material might be of interest to terrorists.

The GAO investigation also casts doubt on the quality of regulatory oversight. Indeed, it’s hard to imagine how hospitals with such poor security could have passed routine inspections. According to the report, some inspectors have complained that the NRC hasn’t trained them well enough for their new task of checking the security, rather than just the safety, of radiation facilities.

Domestic threat reduction. Like the GAO, the National Nuclear Security Administration is also concerned about vulnerable sources in US facilities, and has initiated its own programs to address some of the gaps in the system. Its Global Threat Reduction Initiative (GTRI), which was originally launched to lock down radioactive material overseas, has since begun to offer its services at home, too. Among other things, GTRI has developed security kits that can be retrofitted to radioactive devices. For blood irradiators in hospitals, for instance, such kits can provide an extra layer of security by making it harder for a thief to get the radiation source out of the instrument. (Manufacturers of these devices collaborated with GTRI for this purpose.)

Starting in 2008, GTRI’s domestic program has identified more than 2,900 US hospitals and industrial buildings that may need security upgrades beyond the level required by law. When the managers of these facilities agree, GTRI’s experts come in, install a tailor-made security system, and train the staff. As this program is entirely voluntary for the participating licensees, they receive the upgrades basically free of charge, including the first few years of maintenance.

So far, GTRI’s domestic program has completed work at about 500 of the 2,900 identified buildings. However, budget cuts have slowed progress. At the current pace, work at the last of the remaining sites won’t be completed until the late 2020s. While the main impediment is the lack of funds, another limiting factor is that many facility managers either don’t know of the program or don’t see the necessity to sign up for it.

Creating a “security culture.” Ultimately, good security needs both: strong, strictly enforced regulations and actively participating licensees. Strong regulations are required because investments in security usually don’t generate profits for the businesses. But no security system can work effectively without a vigilant staff that understands the terrorism risk is real. Much like the long-established “safety culture” that has almost certainly prevented many serious radiation accidents, a new “security culture” is needed. This means that businesses, regulators, and government agencies are all aware of security threats, understand their individual responsibilities, and adapt their practices accordingly.

For transport security, the active involvement of all stakeholders is of particular importance. On the road, there are fewer technical protection measures available than inside buildings, so security depends even more on the people in charge: the drivers. They must be vigilant and prepared. This is primarily the responsibility of their bosses, who, in turn, must be able to rely on adequate rules and specific guidance from the regulator. Businesses must also be able to count on responsive state agencies and law enforcement. The federal government can set financial incentives to invest in better security. It is also in a unique position to provide the other parties with the information necessary to better understand the nature of the threats they might be facing. Here are some specific recommendations for the various parties involved in transport security:

The NRC must further strengthen its regulations. Given the scale of damage that a “dirty bomb” could cause, it’s difficult to understand why there are still no armed escorts required for category-1 transports. A real-time location-tracking system should be mandatory, not just for vehicles transporting category-1 sources, but also for those with category-2 sources. Similarly, the requirement for drivers to identify “safe havens” for rest stops, before their trip begins, should be extended to category-2 transports.

The states could do a lot more, too. Those that do not yet require armed escorts for category-1 transports should implement such a policy soon—and not wait for the NRC to change its rules. And if there is one lesson from the Mexican incident for the states, it’s that all of them should be proactive when it comes to helping licensees identify secure parking areas.

The companies themselves play the main role in protecting radioactive sources. They need to be aware that someone might be after their cargo. Drivers, in particular, must be trained to follow security protocols, avoid risky situations, and respond appropriately should they come under attack. Managers should equip their trucks with low-cost security systems—such as GPS tracking systems, duress buttons, or vehicle disabling devices—even when they are not legally required to do so.

Improving transport security remains an urgent matter for all parties involved, but the NRC and the states must pave the way – and quickly. In addition to the measures outlined above, a new program should be initiated in which experts from government and industry work together to develop better security concepts for sources in transit.

At the same time, the United States must substantially step up its efforts to protect its vulnerable radiation sources in hospitals and other facilities. Fewer than 2,500 buildings need better security systems, and this shouldn’t take 15 years to complete. With more money for GTRI’s domestic program, and with more aggressive promotion to facility managers, this task could likely be accomplished in less than five years. The highest-priority buildings, those with a radioactive inventory of more than 1,000 curies, could – and should – be completed in time for the final Nuclear Security Summit in 2016.

Around the world, countries need to move at a much faster pace toward full implementation of the Code of Conduct’s security measures. The United States and other like-minded nations should intensify their diplomatic efforts so that this goal is reached within the next two years – at least, for all of the world’s category-1 sources. This initiative should be bolstered with additional support for less-wealthy countries.

Vigorous US action to strengthen security at home could help convince countries in Western Europe, whose domestic stakeholders have shown similar signs of overconfidence in their established practices, that they need to do a lot more, too. It is fortunate that neither the Western European nor the US systems for the protection of dangerous sources have been seriously tested so far.

Perhaps that’s because terrorists have believed in them, too. In 2004 one of them, the British national Dhiren Barot, explained in a memo to Al Qaeda leaders why he did not try to steal a high-radioactivity source from an English hospital. “Security is tight in these places,” he wrote. He was probably wrong at the time.

Ten years later, security may be tighter in some places. But some terrorists adapt, and they learn from incidents like the recent one in Mexico. Let’s hope that the good guys learn faster.